How hackers are bypassing two-factor authentication

My guess is this will be the big news story in the next few days of how two factor authentication is broken. It’s not, but you know the news.

The rundown is that hackers are now creating phishing websites that ask for your credentials (the usual,) and when the two factor authentication is required they simply trigger a request to Google or whatever service is to fire it off, and then your victim enters it in, thinking they’re on the correct site.

Two factor authentication works the same as it ever has, it’s not been cracked, it’s just slightly more sophisticated phishing is in effect. You’re still handing over all your information because you didn’t check that you were actually on the right website.

Would you kindly hand me the key located underneath the keyboard?

So yeah… you ever get prompted to enter a 2FA code when you don’t think you should, just step back and go to the web site or service in a browser with you typing the URL, not clicking it.

Hopefully the services that have 2FA in place will start checking originating IPs against your devices and send that along with the code “looks like the person requesting access is located in Cyprus, you sure you want to give them this code? 274122”

MrMetacometThat is funny. I did a similar thing with the 15 month old granddaughter when she pops down to the "man cave"; my last sanctuary. There I have lots of cool stuff, but the best fun for her (and me)...

RockinRose WolfWe just got a good deal on Arlo Pro 2's on black Friday for a 4 pack only have one up for now. I want a good doorbell too that you don't have to pay a monthly fee. I hear Nest stuff is really good...

Paul MWhere possible I put smart devices onto a guest network - a separate VLAN on my switch and separate wifi SSID (I use Ubiquiti so I can have many virtual APs). I have strict firewall rules for OUTBOUND...

FYI @att we've been messed up north Nashville and South Nashville with about 40% packet loss but perfect connectivity to next hop. for most of the morning. Been on with support who shows no outages anywhere (even though downdetector and your twitter tend to indicate outages)